This is the accessible text file for GAO report number GAO-12-507T
entitled 'Cybersecurity: Challenges in Securing the Modernized
Electricity Grid' which was released on February 28, 2012.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Oversight and Investigations, Committee on
Energy and Commerce, House of Representatives:
For Release on Delivery:
Expected at 10:15 a.m. EST:
Tuesday, February 28, 2012:
Cybersecurity:
Challenges in Securing the Modernized Electricity Grid:
Statement of Gregory C. Wilshusen, Director:
Information Security Issues:
David C. Trimble, Director:
Natural Resources and Environment:
GAO-12-507T:
GAO Highlights:
Highlights of GAO-12-507T, a testimony before the Subcommittee on
Oversight and Investigations, Committee on Energy and Commerce, House
of Representatives.
Why GAO Did This Study:
The electric power industry is increasingly incorporating information
technology (IT) systems and networks into its existing infrastructure
as part of nationwide efforts--commonly referred to as the “smart grid”--
aimed at improving reliability and efficiency and facilitating the
use of alternative energy sources such as wind and solar. Smart grid
technologies include metering infrastructure (“smart meters”) that
enable two-way communication between customers and electricity
utilities, smart components that provide system operators with
detailed data on the conditions of transmission and distribution
systems, and advanced methods for controlling equipment. The use of
these systems can bring a number of benefits, such as fewer and
shorter outages, lower electricity rates, and an improved ability to
respond to attacks on the electric grid. However, this increased
reliance on IT systems and networks also exposes the grid to
cybersecurity vulnerabilities, which can be exploited by attackers.
Moreover, for nearly a decade, GAO has identified the protection of
systems supporting our nation’s critical infrastructure--which include
the electric grid--as a governmentwide high-risk area.
GAO is providing a statement describing (1) cyber threats facing
cyber-reliant critical infrastructures and (2) key challenges to securing
smart grid systems and networks. In preparing this statement, GAO
relied on its previously published work in this area.
What GAO Found:
The threats to systems supporting critical infrastructures are
evolving and growing. In a February 2011 testimony, the Director of
National Intelligence noted that there had been a dramatic increase in
cyber activity targeting U.S. computers and systems in the previous
year, including a more than tripling of the volume of malicious
software since 2009. Varying types of threats from numerous sources
can adversely affect computers, software, networks, organizations,
entire industries, and the Internet itself. These include both
unintentional and intentional threats, and may come in the form of
targeted or untargeted attacks from criminal groups, hackers,
disgruntled employees, hostile nations, or terrorists. The
interconnectivity between information systems, the Internet, and other
infrastructures can amplify the impact of these threats, potentially
affecting the operations of critical infrastructures, the security of
sensitive information, and the flow of commerce. Moreover, the smart
grid’s reliance on IT systems and networks exposes the electric grid
to potential and known cybersecurity vulnerabilities, which could be
exploited by attackers.
As GAO reported in January 2011, securing smart grid systems and
networks presented a number of key challenges that required attention
by government and industry. These included:
* A lack of a coordinated approach to monitor industry compliance with
voluntary standards. The Federal Energy Regulatory Commission (FERC)
is responsible for regulating aspects of the electric power industry,
which includes adopting cybersecurity and other standards it deems
necessary to ensure smart grid functionality and interoperability.
However, FERC had not, in coordination with other regulators,
developed an approach to monitor the extent to which industry will
follow the voluntary smart grid standards it adopts. As a result, it
would be difficult for FERC and other regulators to know whether a
voluntary approach to standards setting is effective.
* A lack of security features built into smart grid devices. According
to a panel of experts convened by GAO, smart meters had not been
designed with a strong security architecture and lacked important
security features. Without securely designed systems, utilities would
be at risk of attacks occurring undetected.
* A lack of an effective information-sharing mechanism within the
electricity industry. While the industry has an information-sharing
center, it had not fully addressed the need for sharing cybersecurity
information in a safe and secure way. Without quality processes for
sharing information, utilities may lack information needed to protect
their assets against attackers.
* A lack of metrics for evaluating cybersecurity. The industry lacked
metrics for measuring the effectiveness of cybersecurity controls,
making it difficult to measure the extent to which investments in
cybersecurity improve the security of smart grid systems. Until such
metrics are developed, utilities may not invest in security in a
cost-effective manner or be able to make informed decisions about
cybersecurity investments.
GAO made several recommendations to FERC aimed at addressing these
challenges. The commission agreed with these recommendations and
described steps it is taking to implement them.
View [hyperlink, http://www.gao.gov/products/GAO-12-507T]. For more
information, contact Gregory C. Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov or David C. Trimble at (202) 512-3841 or
trimbled@gao.gov.
[End of section]
Chairman Stearns, Ranking Member DeGette, and Members of the
Subcommittee:
Thank you for the opportunity to testify at today's hearing on
assessments of security for the smart grid.
As you know, the electric power industry is increasingly incorporating
information technology (IT) systems and networks into its existing
infrastructure (e.g., electricity networks including power lines and
customer meters) as part of nationwide efforts--commonly referred to
as the "smart grid"--aimed at improving reliability and efficiency and
facilitating the use of alternative energy sources (e.g., wind and
solar). Along with these anticipated benefits, however, cybersecurity
and industry experts have expressed concern that, if not implemented
securely, smart grid systems will be vulnerable to attacks that could
result in widespread loss of electrical services essential to
maintaining our national economy and security.
In addition, since 2003 we have identified protecting systems
supporting our nation's critical infrastructure (which includes the
electric grid) as a governmentwide high-risk area, and we continue to
do so in the most recent update to our high-risk list.[Footnote 1]
In our testimony today, we will describe (1) cyber threats facing
cyber-reliant critical infrastructures, which include the electric
grid,[Footnote 2] and (2) key challenges to securing smart grid
systems and networks. In preparing this statement in February 2012, we
relied on our previous work in this area, including a review of
efforts to secure the smart grid and associated challenges.
[Footnote 3] The products upon which this statement is based contain detailed
overviews on the scope of our reviews and the methodology we used. The
work on which this statement is based was performed in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings
and conclusions. We believe that the evidence obtained provided a
reasonable basis for our findings and conclusions based on our audit
objectives.
Background:
The electricity industry, as shown in figure 1, is composed of four
distinct functions: generation, transmission, distribution, and system
operations. Once electricity is generated--whether by burning fossil
fuels; through nuclear fission; or by harnessing wind, solar,
geothermal, or hydro energy--it is generally sent through
high-voltage, high-capacity transmission lines to local electricity
distributors. Once there, electricity is transformed into a lower
voltage and sent through local distribution lines for consumption by
industrial plants, businesses, and residential consumers. Because
electric energy is generated and consumed almost instantaneously, the
operation of an electric power system requires that a system operator
constantly balance the generation and consumption of power.
Figure 1: Functions of the Electricity Industry:
[Refer to PDF for image: illustration]
Flow of power:
Generators:
Transmission system;
System operations;
Substation;
Distribution system to final customers:
Offices;
Homes;
Factories.
System operations coordinates the balancing of the generation and
consumption of power for final customers.
Source: GAO analysis.
[End of figure]
Utilities own and operate electricity assets, which may include
generation plants, transmission lines, distribution lines, and
substations--structures often seen in residential and commercial areas
that contain technical equipment such as switches and transformers to
ensure smooth, safe flow of current and regulate voltage. Utilities
may be owned by investors, municipalities, and individuals (as in
cooperative utilities). System operators--sometimes affiliated with a
particular utility or sometimes independent and responsible for
multiple utility areas--manage the electricity flows. These system
operators manage and control the generation, transmission, and
distribution of electric power using control systems--IT- and
network-based systems that monitor and control sensitive processes and
physical functions, including opening and closing circuit breakers.
[Footnote 4] As we have previously reported, the effective functioning
of the electricity industry is highly dependent on these control
systems.[Footnote 5] However, for many years, aspects of the
electricity network lacked (1) adequate technologies--such as sensors--
to allow system operators to monitor how much electricity was flowing
on distribution lines, (2) communications networks to further
integrate parts of the electricity grid with control centers, and (3)
computerized control devices to automate system management and
recovery.
Smart Grid Aims to Modernize the Electricity Infrastructure:
As the electricity industry has matured and technology has advanced,
utilities have begun taking steps to update the electricity grid--the
transmission and distribution systems--by integrating new technologies
and additional IT systems and networks. Though utilities have
regularly taken such steps in the past, industry and government
stakeholders have begun to articulate a broader, more integrated
vision for transforming the electricity grid into one that is more
reliable and efficient; facilitates alternative forms of generation,
including renewable energy; and gives consumers real-time information
about fluctuating energy costs.
This vision--the smart grid--would increase the use of IT systems and
networks and two-way communication to automate actions that system
operators formerly had to make manually. Smart grid modernization is
an ongoing process, and initiatives have commonly involved installing
advanced metering infrastructure (smart meters) on homes and
commercial buildings that enable two-way communication between the
utility and customer. Other initiatives include adding "smart"
components to provide the system operator with more detailed data on
the conditions of the transmission and distribution systems and better
tools to observe the overall condition of the grid (referred to as
"wide-area situational awareness"). These include advanced, smart
switches on the distribution system that communicate with each other
to reroute electricity around a troubled line and high-resolution,
time-synchronized monitors--called phasor measurement units--on the
transmission system. Figure 2 illustrates one possible smart grid
configuration, though utilities making smart grid investments may opt
for alternative configurations depending on cost, customer needs, and
local conditions.
Figure 2: Common Smart Grid Components:
[Refer to PDF for image: illustration]
System operator control and data center:
* Advanced control methods, such as distribution automation;
* Improved interfaces, such as distribution system modeling software.
Wind turbines;
Generator;
Transmission system;
Phasor measurement unit;
Two-way communication between System operator control and data center
and Substation;
Distribution system, including Smart switches;
Factory;
Offices;
Homes:
Smart meter with Substation;
Home area network;
Smart appliances;
Home monitoring of electricity data;
Electric vehicle.
Source: GAO analysis.
[End of figure]
According to the National Energy Technology Laboratory, a Department
of Energy (DOE) national laboratory supporting smart grid efforts,
smart grid systems fall into several different categories:
* Integrated communications, such as broadband over power line
communication technologies or wireless communications technologies.
* Advanced components, such as smart switches, transformers, cables,
and other devices; storage devices, such as plug-in hybrid electric
vehicles and advanced batteries; and grid-friendly smart home
appliances.
* Advanced control methods, including real-time monitoring and control
of substation and distribution equipment.
* Sensing and measurement technologies, such as smart meters and
phasor measurement units.
* Improved interfaces and decision support, which includes software
tools to analyze the health of the electricity system and real-time
digital simulators to study and test systems.
The use of smart grid systems may have a number of benefits, including
improved reliability from fewer and shorter outages, downward pressure
on electricity rates resulting from the ability to shift peak demand,
an improved ability to shift to alternative sources of energy, and an
improved ability to detect and respond to potential attacks on the
grid.
Regulation of the Electricity Industry:
Both the federal government and state governments have authority for
overseeing the electricity industry. For example, the Federal Energy
Regulatory Commission (FERC) regulates rates for wholesale electricity
sales and transmission of electricity in interstate commerce. This
includes approving whether to allow utilities to recover the costs of
investments they make to the transmission system, such as smart grid
investments. Meanwhile, local distribution and retail sales of
electricity are generally subject to regulation by state public
utility commissions.
State and federal authorities also play key roles in overseeing the
reliability of the electric grid. State regulators generally have
authority to oversee the reliability of the local distribution system.
The North American Electric Reliability Corporation (NERC) is the
federally designated U.S. Electric Reliability Organization, and is
overseen by FERC. NERC has responsibility for conducting reliability
assessments and enforcing mandatory standards to ensure the
reliability of the bulk power system--i.e., facilities and control
systems necessary for operating the transmission network and certain
generation facilities needed for reliability. NERC develops
reliability standards collaboratively through a deliberative process
involving utilities and others in the industry, which are then sent to
FERC for approval. These standards include critical infrastructure
protection standards for protecting electric utility-critical and
cyber-critical assets.
Federal Smart Grid Activities:
The Energy Independence and Security Act of 2007 (EISA)[Footnote 6]
established federal support for the modernization of the electricity
grid and required actions by a number of federal agencies, including
the National Institute of Standards and Technology (NIST), FERC, and
DOE. With regard to cybersecurity, the act called for NIST and FERC to
take the following actions:
* NIST was to coordinate development of a framework that includes
protocols and model standards for information management to achieve
interoperability of smart grid devices and systems. As part of its
efforts to accomplish this, NIST planned to identify cybersecurity
standards for these systems and also identified the need to develop
guidelines for organizations such as electric companies on how to
securely implement smart grid systems. In January 2011,[Footnote 7] we
reported that NIST had identified 11 standards involving cybersecurity
that support smart grid interoperability and had issued a first
version of a cybersecurity guideline.[Footnote 8]
* FERC was to adopt standards resulting from NIST's efforts that it
deemed necessary to ensure smart grid functionality and
interoperability.
The act also authorized DOE to establish two initiatives to facilitate
the development of industry smart grid efforts. These were the Smart
Grid Investment Grant Program and the Smart Grid Regional
Demonstration Initiative. DOE made $3.5 billion and $685 million of
American Recovery and Reinvestment Act ("Recovery Act")[Footnote 9]
funds available for these two initiatives, respectively. The Smart
Grid Investment Grant Program provided grant awards to utilities in
multiple states to stimulate the rapid deployment and integration of
smart grid technologies, while the Smart Grid Regional Demonstration
Initiative was to fund regional demonstrations to verify technology
viability, quantify costs and benefits, and validate new business
models for the smart grid at a scale that can be readily adopted
around the country. The federal government has also undertaken various
other smart-grid-related initiatives, including funding technical
research and development, data collection, and coordination activities.
In January 2012, the DOE Inspector General reported that cybersecurity
plans submitted by Smart Grid Investment Grant Program recipients were
not always complete or they did not describe intended security
controls in sufficient detail.[Footnote 10] The report also stated
that DOE officials approved cybersecurity plans for smart grid
projects even though some of the plans contained shortcomings that
could result in poorly implemented controls. The report recommended,
among other things, that DOE ensure that grantees' cybersecurity plans
were complete, including thorough descriptions of potential security
risks and related mitigation through necessary controls. The
responsible DOE office stated that it will continue to ensure that the
security plans are complete and are implemented properly.
Smart Grid Is Potentially Vulnerable to a Variety of Cyber Threats:
Threats to systems supporting critical infrastructure--which includes
the electricity industry and its transmission and distribution
systems--are evolving and growing. In February 2011, the Director of
National Intelligence testified that, in the past year, there had been
a dramatic increase in malicious cyber activity targeting U.S.
computers and networks, including a more than tripling of the volume
of malicious software since 2009.[Footnote 11] Different types of
cyber threats from numerous sources may adversely affect computers,
software, networks, organizations, entire industries, or the Internet.
Cyber threats can be unintentional or intentional. Unintentional
threats can be caused by software upgrades or maintenance procedures
that inadvertently disrupt systems. Intentional threats include both
targeted and untargeted attacks from a variety of sources, including
criminal groups, hackers, disgruntled employees, foreign nations
engaged in espionage and information warfare, and terrorists.
Moreover, these groups have a wide array of cyber exploits at their
disposal. Table 1 provides descriptions of common types of cyber
exploits.
Table 1: Common Cyber Exploits:
Type of exploit: Cross-site scripting;
Description: An attack that uses third-party web resources to run
script within the victim's web browser or scriptable application. This
occurs when a browser visits a malicious website or clicks a malicious
link. The most dangerous consequences occur when this method is used
to exploit additional vulnerabilities that may permit an attacker to
steal cookies (data exchanged between a web server and a browser), log
key strokes, capture screen shots, discover and collect network
information, and remotely access and control the victim's machine.
Type of exploit: Denial-of-service;
Description: An attack that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources.
Type of exploit: Distributed denial-of-service;
Description: A variant of the denial-of-service attack that uses
numerous hosts to perform the attack.
Type of exploit: Logic bomb;
Description: A piece of programming code intentionally inserted into a
software system that will cause a malicious function to occur when one
or more specified conditions are met.
Type of exploit: Phishing;
Description: A digital form of social engineering that uses
authentic-looking, but fake, e-mails to request information from users
or direct them to a fake website that requests information.
Type of exploit: Passive wiretapping;
Description: The monitoring or recording of data, such as passwords
transmitted in clear text, while they are being transmitted over a
communications link. This is done without altering or affecting the
data.
Type of exploit: SQL injection;
Description: An attack that involves the alteration of a database
search in a web-based application, which can be used to obtain
unauthorized access to sensitive information in a database.
Type of exploit: Trojan horse;
Description: A computer program that appears to have a useful function
but also has a hidden and potentially malicious function that evades
security mechanisms by, for example, masquerading as a useful program
that a user would likely execute.
Type of exploit: Virus;
Description: A computer program that can copy itself and infect a
computer without the permission or knowledge of the user. A virus
might corrupt or delete data on a computer, use e-mail programs to
spread itself to other computers, or even erase everything on a hard
disk. Unlike a computer worm, a virus requires human involvement
(usually unwitting) to propagate.
Type of exploit: War driving;
Description: The method of driving through cities and neighborhoods
with a wireless-equipped computer--sometimes with a powerful antenna--
searching for unsecured wireless networks.
Type of exploit: Worm;
Description: A self-replicating, self-propagating, self-contained
program that uses network mechanisms to spread itself. Unlike computer
viruses, worms do not require human involvement to propagate.
Type of exploit: Zero-day exploit;
Description: An exploit that takes advantage of a security
vulnerability previously unknown to the general public. In many cases,
the exploit code is written by the same person who discovered the
vulnerability. By writing an exploit for the previously unknown
vulnerability, the attacker creates a potent threat since the
compressed time frame between public discoveries of both makes it
difficult to defend against.
Source: GAO analysis of data from NIST, the United States Computer
Emergency Readiness Team, and industry reports.
[End of table]
The potential impact of these threats is amplified by the connectivity
between information systems, the Internet, and other infrastructures,
creating opportunities for attackers to disrupt critical services,
including electrical power. For example, in May 2008, we reported that
the corporate network of the Tennessee Valley Authority (TVA)--the
nation's largest public power company, which generates and distributes
power in an area of about 80,000 square miles in the southeastern
United States--contained security weaknesses that could lead to the
disruption of control systems networks and devices connected to that
network.[Footnote 12] We made 19 recommendations to improve the
implementation of information security program activities for the
control systems governing TVA's critical infrastructures and 73
recommendations to address specific weaknesses in security controls.
TVA concurred with the recommendations and has taken steps to
implement them. As government, private sector, and personal activities
continue to move to networked operations, the threat will continue to
grow.
We have reported[Footnote 13] that cyber incidents can affect the
operations of energy facilities, as the following examples illustrate:
* Stuxnet. In July 2010, a sophisticated computer attack known as
Stuxnet was discovered. It targeted control systems used to operate
industrial processes in the energy, nuclear, and other critical
sectors. It is designed to exploit a combination of vulnerabilities to
gain access to its target and modify code to change the process.
* Browns Ferry power plant. In August 2006, two circulation pumps at
Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed,
forcing the unit to be shut down manually. The failure of the pumps
was traced to excessive traffic on the control system network,
possibly caused by the failure of another control system device.
* Northeast power blackout. In August 2003, failure of the alarm
processor in the control system of FirstEnergy, an Ohio-based electric
utility, prevented control room operators from having adequate
situational awareness of critical operational changes to the
electrical grid. When several key transmission lines in northern Ohio
tripped due to contact with trees, they initiated a cascading failure
of 508 generating units at 265 power plants across eight states and a
Canadian province.
* Davis-Besse power plant. The Nuclear Regulatory Commission confirmed
that in January 2003, the Microsoft SQL Server worm known as Slammer
infected a private computer network at the idled Davis-Besse nuclear
power plant in Oak Harbor, Ohio, disabling a safety monitoring system
for nearly 5 hours. In addition, the plant's process computer failed,
and it took about 6 hours for it to become available again.
Smart Grid Faces Cybersecurity Vulnerabilities:
While presenting significant potential benefits, the smart grid vision
and its increased reliance on IT systems and networks also expose the
electric grid to potential and known cybersecurity vulnerabilities,
which could be exploited by a wide array of cyber threats. This
creates an increased risk to the smooth and reliable operation of the
grid. As we and others have reported,[Footnote 14] these
vulnerabilities include:
* an increased number of entry points and paths that can be exploited
by potential adversaries and other unauthorized users;
* the introduction of new, unknown vulnerabilities due to an increased
use of new system and network technologies;
* wider access to systems and networks due to increased connectivity;
and
* an increased amount of customer information being collected and
transmitted, providing incentives for adversaries to attack these
systems and potentially putting private information at risk of
unauthorized disclosure and use.
We and others have also reported that smart grid and related systems
have known cyber vulnerabilities. For example, cybersecurity experts
have demonstrated that certain smart meters can be successfully
attacked, possibly resulting in disruption to the electricity grid. In
addition, we have reported that control systems used in industrial
settings such as electricity generation have vulnerabilities that
could result in serious damages and disruption if exploited.
[Footnote 15] Further, in 2009, the Department of Homeland Security, in
cooperation with DOE, ran a test that demonstrated that a
vulnerability commonly referred to as "Aurora" had the potential to
allow unauthorized users to remotely control, misuse, and cause damage
to a small commercial electric generator. Moreover, in 2008, the
Central Intelligence Agency reported that malicious activities against
IT systems and networks have caused disruption of electric power
capabilities in multiple regions overseas, including a case that
resulted in a multicity power outage.[Footnote 16]
Securing Smart Grid Systems and Networks Presents Challenges:
In our January 2011 report, we identified a number of key challenges
that industry and government stakeholders faced in ensuring the
cybersecurity of the systems and networks that support our nation's
electricity grid.[Footnote 17] Among others, these challenges included
the following:
* Lack of a coordinated approach to monitor whether industry follows
voluntary standards. As mentioned above, under EISA, FERC is
responsible for adopting cybersecurity and other standards that it
deems necessary to ensure smart grid functionality and
interoperability. However, FERC had not developed an approach
coordinated with other regulators to monitor, at a high level, the
extent to which industry will follow the voluntary smart grid
standards it adopts. There had been initial efforts by regulators to
share views, through, for example, a collaborative dialogue between
FERC and the National Association of Regulatory Utility Commissioners
(NARUC), which had discussed the standards-setting process in general
terms. Nevertheless, according to officials from FERC and NARUC, FERC
and the state public utility commissions had not established a joint
approach for monitoring how widely voluntary smart grid standards are
followed in the electricity industry or developed strategies for
addressing any gaps. Moreover, FERC had not coordinated in such a way
with groups representing public power or cooperative utilities, which
are not routinely subject to FERC's or the states' regulatory
jurisdiction for rate setting. We noted that without a good
understanding of whether utilities and manufacturers are following
smart grid standards, it would be difficult for FERC and other
regulators to know whether a voluntary approach to standards setting
is effective or if changes are needed.[Footnote 18]
* Lack of security features being built into certain smart grid
systems. Security features had not been consistently built into smart
grid devices. For example, according to experts from a panel convened
by GAO, currently available smart meters had not been designed with a
strong security architecture and lacked important security features,
such as event logging[Footnote 19] and forensics capabilities, which
are needed to detect and analyze attacks. In addition, these experts
stated that smart grid home area networks--used for managing the
electricity usage of appliances and other devices in the home--did not
have adequate security built in, thus increasing their vulnerability
to attack. Without securely designed smart grid systems, utilities may
not be able to detect and analyze attacks, increasing the risk that
attacks would succeed and utilities would be unable to prevent them
from recurring.
* Lack of an effective mechanism for sharing cybersecurity information
within the electricity industry. The electricity industry lacked an
effective mechanism to disclose information about smart grid
cybersecurity vulnerabilities, incidents, threats, lessons learned,
and best practices in the industry. For example, experts stated that
while the industry has an information-sharing center, it had not fully
addressed these information needs. According to these experts,
information regarding incidents, such as both successful and
unsuccessful attacks, must be able to be shared in a safe and secure
way; this is crucial to avoid publicly revealing the reported
organization and penalizing entities actively engaged in corrective
action. Such information sharing across the industry could provide
important information regarding the level of attempted attacks and
their methods, which could help grid operators better defend against
them. In developing an approach to cybersecurity information sharing,
the industry could draw upon the practices and approaches of other
industries. Without quality processes for information sharing,
utilities may not have the information needed to adequately protect
their assets against attackers.
* Lack of industry metrics for evaluating cybersecurity. The
electricity industry was also challenged by a lack of cybersecurity
metrics, making it difficult to measure the extent to which
investments in cybersecurity improve the security of smart grid
systems. Experts noted that while such metrics[Footnote 20] are
difficult to develop, they could help in comparing the effectiveness
of competing solutions and determining what mix of solutions best
secure systems. Further, our panel of experts noted that having
metrics would help utilities develop a business case for cybersecurity
by helping to show the return on a particular investment. Until such
metrics are developed, there is an increased risk that utilities will
not invest in security in a cost-effective manner or have the
information needed to make informed decisions about their
cybersecurity investments.
Accordingly, in our January 2011 report, we made multiple
recommendations to FERC, including that it develop an approach to
coordinating with state regulators to evaluate the extent to which
utilities and manufacturers are following voluntary smart grid
standards and develop strategies for addressing any gaps in compliance
with standards that are identified as a result. We further recommended
that FERC, working with NERC as appropriate, assess whether commission
efforts should address any of the cybersecurity challenges identified
in our report. FERC agreed with our recommendations and described
steps the commission intended to take to address them. We are
currently working with FERC officials to determine the status of their
efforts to address these recommendations.
In summary, the electricity industry is in the midst of a major
transformation as a result of smart grid initiatives, and this has led
to significant investments by many entities, including utilities,
private companies, and the federal government. While these initiatives
hold the promise of significant benefits, including a more resilient
electric grid, lower energy costs, and the ability to tap into
alternative sources of power, the prevalence of cyber threats aimed at
the nation's critical infrastructure and the cyber vulnerabilities
arising from the use of new technologies highlight the importance of
securing smart grid systems. In particular, it will be important for
federal regulators and other stakeholders to work closely with the
private sector to address key cybersecurity challenges posed by the
transition to smart grid technology. While no system can be made 100
percent secure, proven security strategies could help reduce risk to
an acceptable level.
Chairman Stearns, Ranking Member DeGette, and Members of the
Subcommittee, this completes our statement. We would be happy to
answer any questions you have at this time.
Contact and Acknowledgments:
If you have any questions regarding this statement, please contact
Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or David
C. Trimble at (202) 512-3841 or trimbled@gao.gov. Other key
contributors to this statement include Michael Gilmore (Assistant
Director), Jon R. Ludwigson (Assistant Director), Paige Gilbreath,
Barbarol J. James, and Lee A. McCracken.
[End of section]
Footnotes:
[1] GAO's biennial high-risk list identifies government programs that
have greater vulnerability to fraud, waste, abuse, and mismanagement
or need transformation to address economy, efficiency, or
effectiveness challenges. We have designated federal information
security as a high-risk area since 1997; in 2003, we expanded this
high-risk area to include protecting systems supporting our nation's
critical infrastructure--referred to as cyber-critical infrastructure
protection, or cyber CIP. See, most recently, GAO, High-Risk Series:
An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278]
(Washington, D.C.: February 2011).
[2] Federal policy established 18 critical infrastructure sectors:
banking and finance; chemical; commercial facilities; communications;
critical manufacturing; dams; defense industrial base; emergency
services; energy; food and agriculture; government facilities; health
care and public health; information technology; national monuments and
icons; nuclear reactors, materials, and waste; postal and shipping;
transportation systems; and water.
[3] GAO, Electricity Grid Modernization: Progress Being Made on
Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,
[hyperlink, http://www.gao.gov/products/GAO-11-117] (Washington, D.C.:
Jan. 12, 2011).
[4] Circuit breakers are devices used to open or close electric
circuits. If a transmission or distribution line is in trouble, a
circuit breaker can disconnect it from the rest of the system.
[5] GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/products/GAO-07-1036] (Washington,
D.C.: Sept. 10, 2007).
[6] Pub. L. No. 110-140 (Dec. 19, 2007).
[7] [hyperlink, http://www.gao.gov/products/GAO-11-117].
[8] NIST Special Publication 1108, NIST Framework and Roadmap for
Smart Grid Interoperability Standards, Release 1.0, January 2010 and
NIST Interagency Report 7628, Guidelines for Smart Grid Cyber
Security, August 2010.
[9] Pub. L. No. 111-5 (Feb. 17, 2009).
[10] U.S. Department of Energy, Office of Inspector General, Office of
Audits and Inspections, Audit Report: The Department's Management of
the Smart Grid Investment Grant Program, OAS-RA-12-04 (Washington,
D.C.: Jan. 20, 2012).
[11] Director of National Intelligence, Statement for the Record on
the Worldwide Threat Assessment of the U.S. Intelligence Community,
statement before the Senate Select Committee on Intelligence (Feb. 16,
2011).
[12] GAO, Information Security: TVA Needs to Address Weaknesses in
Control Systems and Networks, [hyperlink,
http://www.gao.gov/products/GAO-08-526] (Washington, D.C.: May 21,
2008).
[13] [hyperlink, http://www.gao.gov/products/GAO-07-1036] and
[hyperlink, http://www.gao.gov/products/GAO-12-92].
[14] [hyperlink, http://www.gao.gov/products/GAO-11-117].
[15] [hyperlink, http://www.gao.gov/products/GAO-07-1036].
[16] The White House, Cyberspace Policy Review: Assuring a Trusted and
Resilient Information and Communications Infrastructure (Washington,
D.C.: May 29, 2009).
[17] [hyperlink, http://www.gao.gov/products/GAO-11-117].
[18] In an order issued on July 19, 2011, FERC reported that it had
found insufficient consensus to institute a rulemaking proceeding to
adopt Smart Grid interoperability standards identified by NIST as
ready for consideration by regulatory authorities. While FERC
dismissed the rulemaking, it encouraged utilities, smart grid product
manufacturers, regulators, and other smart grid stakeholders to
actively participate in the NIST interoperability framework process to
work on the development of interoperability standards and to refer to
that process for guidance on smart grid standards. Despite this
result, we believe our recommendations to FERC in GAO-11-117, with
which FERC concurred, remain valid and should be acted upon as
consensus is reached and standards adopted.
[19] Event logging is the capability of an IT system to record events
occurring within an organization's systems and networks, including
those related to computer security.
[20] Metrics can be used for, among other things, measuring the
effectiveness of cybersecurity controls for detecting and blocking
cyber attacks.
[End of section]